
New Russian malware, dubbed ‘Infamous Chisel,’ identified targeting Binance, Coinbase, and Trust wallets

Newly discovered malware dubbed “Infamous Chisel” targets crypto wallets and other Android apps, according to a U.K. government report on Sept. 1.

The U.K.’s National Cyber Security Centre (NCSC) said that the malware works by scanning various directories on infected mobile devices and exfiltrating data.

The malware is known to extract data from at least three cryptocurrency wallets: Binance App, Coinbase Wallet, and Trust Wallet. Infamous Chisel also extracts data from the Brave and Opera browsers, both of which have cryptocurrency features.

Because the malware is capable of extracting data in general, other apps are also targeted. PayPal, Dropbox, Firefox, Telegram, Skype, WhatsApp, Discord, Viber, and Google Chrome are among the other apps that are vulnerable to attack. A total of 35 application directories, including certain Android system directories, are scanned.

The National Cyber Security Centre’s report did not explicitly state that any data stolen from those apps could allow attackers to steal cryptocurrency, nor did it state whether Infamous Chisel has led to the theft of any cryptocurrency at all. It is possible that any information stolen does not provide attackers with full access to crypto accounts.

Russia’s Sandworm is behind the threat

The latest report notes that Infamous Chisel is associated with Sandworm, a state-sponsored hacker group that is part of Russia’s military intelligence service, GRU. The group is also known by other names including Telebots, Voodoo Bear, and Iron Viking. The group notably launched a high-profile ransomware attack against Ukraine in November 2022 and has carried out other earlier attacks as well.

Sandworm is currently using Infamous Chisel to steal information related to the Ukrainian military. The latest report does not describe any profit motives.

Various international cybersecurity groups have recognized the threat, including those in the U.S., the U.K., New Zealand, Canada, and Australia.

